Been reading this and, like the other folk, am unsure as to why a generic user account / password combination must be used in lieu of the passworded account that the user is attempting to change.  

But, be that as it may. I’ll take it for granted that it is an unavoidable situation.

Someone could conceivably use the generic username/password combination to log directly into the domain on a Windows 2000/XP workstation. Once there, the chances that our nefarious guest will obtain other valid account names and shares go way up!

It could be argued that you’re better off having the website accessible through enabled Anonymous Access (presumably IIS is being used). You could configure the generic account and password combination to be used through IIS Admin. At least it wouldn’t be public knowledge. SSL would be highly advised!

Richard
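Richard's concern above is that a published shared account will be used for an ordinary workstation or share logon rather than only by the password-reset site. One defensive check for that is to monitor the domain's security event logs for any session-type logon (interactive, unlock, RDP, cached) by the shared account, and for any network logon by it on a host other than the web server. The script below is an added example, not part of this thread; it works over a few constructed, single-line event records using the field names of the modern Security event 4624 (the Windows 2000/XP systems discussed here logged events 528/540 instead), and the account name `svc-pwreset`, the host names and the addresses are all assumptions.

```python
import re
from dataclasses import dataclass

# Logon type codes carried by Security event 4624 ("An account was successfully logged on").
LOGON_TYPES = {
    2: "Interactive",
    3: "Network",
    4: "Batch",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials",
    10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Logon types that mean someone has a session as this account on a machine.
# A service account used only by a web site should never produce these.
SESSION_LOGON_TYPES = {2, 7, 10, 11}


@dataclass(frozen=True)
class LogonEvent:
    event_id: int
    computer: str      # host that recorded the event
    account: str       # TargetUserName
    logon_type: int
    source_ip: str


# Constructed one-line record format for this example. Real 4624 events are
# multi-line XML, but the field names below are the ones the event carries.
_LINE_RE = re.compile(
    r"EventID=(?P<event_id>\d+)\s+"
    r"Computer=(?P<computer>\S+)\s+"
    r"TargetUserName=(?P<account>\S+)\s+"
    r"LogonType=(?P<logon_type>\d+)\s+"
    r"IpAddress=(?P<source_ip>\S+)"
)


def parse_event(line):
    """Parse one constructed record; return None for lines that do not match."""
    m = _LINE_RE.search(line)
    if not m:
        return None
    return LogonEvent(
        event_id=int(m.group("event_id")),
        computer=m.group("computer"),
        account=m.group("account"),
        logon_type=int(m.group("logon_type")),
        source_ip=m.group("source_ip"),
    )


def find_misuse(lines, shared_account, allowed_hosts):
    """Return (event, reason) pairs for logons of shared_account that should not happen.

    allowed_hosts: hosts (e.g. the IIS server) where a non-session logon by the
    account is expected. Any session-type logon anywhere is reported.
    """
    allowed = {h.upper() for h in allowed_hosts}
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.event_id != 4624:
            continue                      # only successful logons matter here
        if ev.account.lower() != shared_account.lower():
            continue
        kind = LOGON_TYPES.get(ev.logon_type, "Unknown")
        if ev.logon_type in SESSION_LOGON_TYPES:
            findings.append((ev, f"{kind} logon by shared account on {ev.computer}"))
        elif ev.computer.upper() not in allowed:
            findings.append((ev, f"{kind} logon by shared account on unexpected host {ev.computer}"))
    return findings


# Constructed sample records (hypothetical hosts, account and addresses).
SAMPLE_LOG = [
    "EventID=4624 Computer=WEB01 TargetUserName=svc-pwreset LogonType=3 IpAddress=127.0.0.1",
    "EventID=4624 Computer=WS-0417 TargetUserName=svc-pwreset LogonType=2 IpAddress=-",
    "EventID=4624 Computer=WS-0417 TargetUserName=jdoe LogonType=2 IpAddress=-",
    "EventID=4624 Computer=WS-0099 TargetUserName=svc-pwreset LogonType=10 IpAddress=10.0.3.200",
    "EventID=4624 Computer=FILESRV2 TargetUserName=svc-pwreset LogonType=3 IpAddress=10.0.3.41",
    "EventID=4634 Computer=WEB01 TargetUserName=svc-pwreset LogonType=3 IpAddress=127.0.0.1",
    "EventID=4624 Computer=WEB01 TargetUserName=SVC-PWRESET LogonType=3 IpAddress=127.0.0.1",
]

if __name__ == "__main__":
    for ev, reason in find_misuse(SAMPLE_LOG, "svc-pwreset", {"WEB01"}):
        print(f"{ev.computer:10} type={ev.logon_type:2} from={ev.source_ip:12} {reason}")
```

The web server's own logons pass (case-insensitively), the logoff record is ignored, and the three records a defender wants to see are reported: a console logon and an RDP logon on workstations, and a network logon against a file server, which is exactly the share enumeration Richard describes.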

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AWS
Sent: Sunday, June 25, 2006 6:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] pw reset domain account

There's a proposal at my company for a self service password reset website which uses a shared domain account. It's similar to a kiosk configuration, but the intent is to publicize the account and password so that it can be used from any user's PC when needed.

They have an account-specific OU/GPO configuration which locks down the typical stuff you would expect, but my position is that there are too many unknown vectors for such an account to be abused. 

Since I don't dabble in the various black hat utils du jour, does anyone have any thoughts on how a globally known domain account could be hacked upon? Conversely, is there any way such an account could be effectively locked down?

Thanks,

AW